Protect Your Android Applications from Software Piracy

With ProGuard support in the Eclipse ADT plugin, Android developers can maintain a level of protection in their Android application code.

You've probably heard some of the startlingly high statistics about the number of mobile applications that are illegally downloaded and installed on users' devices. For the application developer, the loss in revenue and other ramifications of software piracy are staggering; most developers try to take some steps to protect their intellectual property. Android developers have a powerful tool at their fingertips to ensure this type of protection -- ProGuard.

Android applications are generally developed with Java, a language well-known for fairly easy reverse-engineering. Part of what makes Java so susceptible is that the language supports reflection, or the ability to look up code objects at runtime by name. These labels are kept when the application is compiled. When someone knows what your application does (context) and can systematically inspect the elements of your code in a human-readable fashion, it takes only a short amount of time to unwind your hard work and take advantage of it. This is just one of the reasons Java applications are fairly easily reverse engineered.

Over time, various tools have been developed to make the process of reverse engineering more difficult. Many of these tools use code obfuscation technology of some kind -- a process where human-readable code is converted into context-less gobbledygook. In this way, the code becomes difficult to interpret and understand. ProGuard is one such tool, and it's now built into the Android plug-in for Eclipse. ProGuard obfuscates, shrinks, and optimizes your code. The end result is a smaller, more secure application package file.

Why Protect My Paid Android Applications?

Well, first of all: you wrote the app, you should be the one to reap the rewards, right?

Let's look at a typical scenario for a paid app. Many developers sell their applications on the Android Market. If you're one of them, then presumably, you want everyone who uses your application to pay for it. Your first problem was that people were somehow just copying your app and making it available for download on other sites. In response to this, you likely integrated with the Google License Verification Library so the application can confirm with the Android Market that the user actually paid for it and that it's installed on an approved device. But even after taking these measures, you still found that people were somehow copying your application and defeating the code.

In all likelihood, these intelligent -- yet nefarious -- developers were easily reverse engineering your app's code because it wasn't obfuscated. They could easily search for certain keywords within the binary. This is just one reason why it's crucial to obfuscate your code using a tool such as ProGuard.

Do I Need to Protect My Free Android Applications?

If your application is freely available on the Android Market and other sites, you might wonder why you should bother obfuscating your code.

Just because you're giving away the software doesn't mean that it doesn't contain valuable intellectual property or revenue-making items such as advertising-supported content that you can't allow to be defeated, misused, or misrepresented. The last thing you want is for your awesome, but not patented, technology to be copied immediately upon release simply because you left your work unprotected. If you have a multiplayer game that goes through servers, reverse engineering the code could allow someone to cheat and misuse your servers, too. And your wildly popular ad-supported application could have its ads turned off just as easily.

These are just a few of the many reasons why using a tool like ProGuard to protect your applications is important.

Configuring ProGuard for Your Android Applications

The reasons for using ProGuard are so compelling that the Android Development Tools plug-in for Eclipse (ADT) added automatic ProGuard support in ADT 8.0.0, which also includes everything needed for using ProGuard with Android. When you create a new Android application in Eclipse, the root of the project will contain a proguard.cfg file that provides the starting point for configuring ProGuard to run on release builds of your application. This alone, though, does not enable ProGuard for your application.

To enable ProGuard for you application, place the following line inside the default.properties file:

proguard.config=proguard.cfg

This setting will turn on ProGuard processing when you export a signed or unsigned APK file using the Android tools menu. Besides the added protection of obfuscation, a recent package file we used ProGuard on shrunk from 678KB to 518KB -- a savings of nearly 25%. Surely users will appreciate the faster downloads and more free space on their devices.

Note: Don't worry about the comments in the default.properties file that warn against modifying the file. The file will be modified, but in our experience, the config values we add, such as proguard.config, will remain untouched.

Dealing with Error Reports After Obfuscation

Now that your Android application source code is obfuscated, your error reports will also be obfuscated. Luckily, the ProGuard tool outputs a file named mapping.txt that later can be used to de-obfuscate the error report. Within the SDK tools directory, there is a directory name called /proguard. In that directory, you'll find a tool called retrace. This tool will take an obfuscated stack trace and make it readable again. The mapping.txt file is stored in a directory named proguard, found in the root of your project.

There's one important caveat, though. Every time you make a release the mapping.txt file is recreated. It's not necessarily the same every time. This means that each time you actually release an application to users, you'll need to keep the mapping.txt file and keep which release it goes with. Otherwise, stack traces will be basically useless to you.

Common ProGuard Problems and Solutions

While the default ProGuard configuration file created by the ADT plug-in works reasonable well for many Android applications, you can sometimes run into snags. The techniques that ProGuard uses to modify your source code can lead to some problems either during the ProGuard modification or on the released file. Some common problems and error messages include:

External libraries referencing other libraries you don't use -- usually results in many warnings, such as "can't find dynamically referenced class"

Paths with spaces -- usually results in the warning "'C:Program' is not recognized as an internal or external command"

The first error can be caused by external libraries that conditionally include other libraries that you don't use. A viable solution is usually to add a specific configuration value to not warn about each instance. You'll need to test carefully to make sure you actually aren't using the reference class. The following setting within the proguard.cfg file should suffice:

-dontwarn com.package.classname.**

The second error results from pathnames that contain spaces. This generally results from one of the tools you use being in a path that contains spaces. You either need to reinstall any tools that contain spaces, or look into alternate solutions. See this Stack Overflow page for more details.

Finally, the third error is caused by both the use of reflection and the only reference to the call being from the layout files. To solve this problem for all such click handlers, place the following in your proguard.cfg file:

-keepclassmembers class * {
public void *(android.view.View);
}

This tells ProGuard to keep any method call in any class that takes a single View object parameter. This may be over-aggressive, but it is simple, easy to maintain, proven for our own applications, and hasn't increased the size of the resulting package appreciably.

For other problems, we recommend checking the documentation for ProGuard or searching in Android support forums.

Conclusion

ProGuard is a useful tool for protecting your Android applications as well as making them smaller and more efficient. Enabling ProGuard is now very simple within Eclipse with the ADT plug-in. However, you must be aware that it changes the code inside the packages and may have implications in your application. Therefore, be sure to thoroughly test the release version of your application prior to release. For Android developers, there's little excuse not to provide at least this moderate level of protection to your application source code.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.